What is the most stable/best software to create a forensic image of a server?

I have a client who needs me to create a forensic image of one of their servers. Unfortunately, the server that I am imaging has a RAID volume that has a 7TB partition with almost 5TB of data. I am attempting to image to a NAS device that we have onsite. Tools I have used up to this point seem to crash part of the way through.


EnCase and FTK can be one option to explore, but software-based cloning of huge TB and storing live into a NAS can be slow and prone to network disturbance. I was thinking whether using dd for bit copy and a cross cable to the NAS (or a physically accessible staging store, to be pumped over to the NAS backup later) would, as a simplistic baseline, be more stable and faster instead of over the wire across the network.

But this article stated various means to acquire a RAID server, though it did not drill further, and eventually concluded it is still viable with the gigabit NIC in the target server to be cloned. The time taken is not impressive but definitely faster across the network and will get the job done.

There may be newer evolution schemes (or existing) that use image splitting, since creating a large single-case raw data dump is not filesystem performance friendly. FTK Imager is another tool, for which the article shows imaging steps that include specifying the fragment size of the image split, which we can hear about from more experts too.

Overall, I perceive that for stable cloning, direct may be better compared to a dedicated n/w, but restrictive in use cases where physical access is not viable. However, the forensic tool's cloning coverage objective leans more towards cloning with integrity intact from source to destination, and the remaining external factors and dependencies causing n/w errors tampering with the data are beyond the tool's control. A separate logical LAN for such cloning is preferred, and during off-peak, but it is quite a hassle, and probably direct will be quicker, as shared in the articles.
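The dd bit copy, image splitting and source-to-destination integrity discussed above can be combined as in the following sketch, which is an added example and not part of the original thread. It assumes POSIX sh with dd, split, tee, mkfifo and sha256sum; the function names and the `image.*`, `stream.sha256` and `segments.sha256` file names are hypothetical.

```shell
#!/bin/sh
# Added example: segmented acquisition with a stream hash and per-segment hashes.
# Assumptions: POSIX sh plus dd, split, tee, mkfifo and sha256sum (coreutils).

# acquire SRC OUTDIR SEGMENT_BYTES
# Reads SRC once, hashing the stream while splitting it into OUTDIR/image.aaaa...
acquire() {
    src=$1; out=$2; seg=$3
    mkdir -p "$out" || return 1
    fifo="$out/.stream.fifo"
    mkfifo "$fifo" || return 1
    # Hash the exact byte stream being written, in parallel with split.
    sha256sum < "$fifo" | cut -d' ' -f1 > "$out/stream.sha256" &
    dd if="$src" bs=1048576 2>/dev/null | tee "$fifo" |
        split -a 4 -b "$seg" - "$out/image."
    wait
    rm -f "$fifo"
    # Per-segment manifest: a damaged segment can be identified and re-copied alone.
    (cd "$out" && sha256sum image.* > segments.sha256)
}

# verify OUTDIR: succeeds only if every segment matches the manifest and the
# reassembled stream matches the hash recorded during acquisition.
verify() {
    out=$1
    (cd "$out" && sha256sum -c segments.sha256 >/dev/null 2>&1) || return 1
    got=$(cat "$out"/image.* | sha256sum | cut -d' ' -f1)
    [ "$got" = "$(cat "$out/stream.sha256")" ]
}

# Constructed demo: a 300 KiB file stands in for the source volume and a
# temporary directory stands in for the NAS share.
demo() {
    work=$(mktemp -d) || return 1
    yes 'constructed sample sector' 2>/dev/null | head -c 307200 > "$work/source.bin"
    acquire "$work/source.bin" "$work/nas" 131072 &&
        verify "$work/nas" &&
        echo "verified $(ls "$work/nas"/image.* | wc -l) segments"
    rc=$?
    rm -rf "$work"
    return $rc
}
demo
```

Because each segment has its own hash, a transfer interrupted or corrupted on the network only requires re-copying the affected segment, and `stream.sha256` is the value to record in the acquisition notes.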

Compatible with all Windows file systems (FAT16, FAT32, NTFS, ReFS), supports Linux EXT2/3/4/Reiser/XFS, and is compatible with all Windows RAID methods. It can split the image file into different sizes to avoid storage destination problems.

EnCase and FTK are recognised. Importantly, it is about maintaining the chain of custody of the evidence to be submitted. As long as it is verifiable proof with high integrity against tampered data, it is legally still valid. It should not be tool driven (as much as I hope so). To clarify for Casper, it does clone drive images (SmartClone, AccuClone) and not just backup.

Thanks. Would I be able to take an image using Casper and use one of the other forensic programs to search through the image? Meaning, does Casper create images in any of these formats: IMG, DD, ISO, BIN, 000, 001, NRG, SDI, AFF, AFD, AMF, .E01, S01?

Casper does bit copy; however, the img is a direct copy to the destined drive, e.g.

Casper can be instructed to clone the entire contents of one hard disk to another hard disk, or clone a specific partition/volume to another partition/volume. When using the Copy an entire hard disk method, Casper completely replaces the existing content of the destination device, master boot record, existing partition structure, etc.

For the court you need software which is officially certified. First check with the court or a lawyer whether there is any such imaging software which is officially recognized and accepted.
As for the search - you can take a backup with Paragon and mount the image using Windows Disk Manager, as the image is in vhd or vmdk format. Then use Windows search.

If you take a look at this PDF from the US DoJ, the case study stated the use of EnCase by enforcement forensic investigators for imaging and also chain of custody (do see chapter 3 on Evidence acquisition, which depicts the steps) required for all admissible evidence (proof of authenticity from original author to holder): https://www.ncjrs.gov/pdffiles1/nij/199408.pdf

One key point of acquisition is also that a write-blocker-capable tool or software is required, such that the process will not taint the original evidence. The govt lab stated Forensicsoft SAFE (e.g. "The Windows boot disk contains advanced software write blocking technology that will block hardware RAID. This allows investigators to image the entire RAID volume at once."): http://www.dfcsc.uri.edu/research/boot and http://www.forensicsoft.com/safe_compare_chart.php
